Siemens-branded CCTV webcams require urgent firmware patch

Siemens-branded IP-based CCTV cameras are the latest internet-connected devices to be found vulnerable to hacking attacks.

In this particular instance, according to a security advisory issued by Siemens, the vulnerability – known as CVE-2016-9155 – could be remotely exploited by malicious attackers to trick CCTV cameras into revealing admin passwords:

The latest update for SIEMENS-branded IP-based CCTV cameras fixes a vulnerability that could allow a remote attacker to obtain administrative credentials from the integrated web server.

Until patches can be applied, restricting access to the integrated web server with appropriate mechanisms is recommended.

The following CCTV camera models, built by Vanderbilt Industries, which acquired Siemens’ security product line in June last year, are said to be at risk:

CCMW3025: All versions prior to 1.41_SP18_S1

CVMW3025-IR: All versions prior to 1.41_SP18_S1

CFMW3025: All versions prior to 1.41_SP18_S1

CCPW3025: All versions prior to 0.1.73_S1

CCPW5025: All versions prior to 0.1.73_S1

CCMD3025-DN18: All versions prior to v1.394_S1

CCID1445-DN18: All versions prior to v2635

CCID1445-DN28: All versions prior to v2635

CCID1445-DN36: All versions prior to v2635

CFIS1425: All versions prior to v2635

CCIS1425: All versions prior to v2635

CFMS2025: All versions prior to v2635

CCMS2025: All versions prior to v2635

CVMS2025-IR: All versions prior to v2635

CFMW1025: All versions prior to v2635

CCMW1025: All versions prior to v2635

The good news is that Vanderbilt has released updates for the vulnerable devices. The further good news is that, to date, there is no evidence that any malicious hackers have exploited the vulnerability.

There is bad news, however.

Firstly, it sounds as if the attack is relatively trivial for an attacker to pull off by sending a carefully-formed but simple HTTP request.

Additionally, it’s easy to predict that many of the vulnerable devices may not have patches applied to them in a prompt fashion (if at all) – a common problem with the Internet of Things.

Just making a patch available does not mean that the problem has gone away.

And that’s a problem. The Siemens-branded CCTV cameras are in use around the world at commercial facilities, in the healthcare industry and at government facilities. These are not the kind of organizations that one imagines can afford to have their admin credentials leaked to cybercriminals.

This is, of course, far from the first time that flaws have been found in CCTV cameras that could be exploited by attackers.

For instance, last month there was a massive DDoS attack against domain name service Dyn, which in turn disrupted access to well-known sites such as Twitter, Pinterest, Reddit, and the PlayStation Network.

The DDoS attack was perpetrated by the Mirai botnet, powered by hijacked IoT devices, including hacked webcams.

As the Internet of (often insecure) Things expands, it poses a bigger threat to businesses and home users alike. ESET warned earlier this year that IoT would make more regular appearances in security headlines:

“For the future, the challenge for security in IoT is not restricted to the household. Technology keeps improving and time and time again we see how governments, industries and markets in general are turning towards interconnectivity for all equipment, systems, and services. From market research to traffic systems, all things are being interconnected through existing technologies but, in certain cases, without the proper implementation of security protocols.”

It feels to me that when it comes to IoT security things are going to get worse before they have any hope of getting better.

And it’s also clear that news of the CCTV camera vulnerability has only added to a bad month for the Siemens brand in terms of security.

Earlier this month, the Department of Homeland Security’s ICS-CERT issued an alert that industrial control products developed by Siemens suffered from a local privilege escalation vulnerability that could leave SCADA equipment open to attack.